Good keyloggers also detail what program the keystrokes were typed into.

Settings

For this tutorial I will be using images from Unknown Logger V 1.3.3 as I believe that it is very thorough logger but there are many free keyloggers
which I will link in another section.

There are two ways that you can receive your keylogs email or FTP.

Email :

With email I recommend you create a two new email addresses (one for sending and one for receiving) and not to use your personal email.
Gmail is usually what people use as it can hold lots of logs and is secure if you have the settings right.

Email Address: you put your email address into that, obviously.

Password: you put in the password of your keylogger email. I recommend your new email address has a different email than your personal email address because if you have it as your recovery email they can see the address and login with the same pass.

SMTP Server: is where you get your email. So for Gmail it would be smtp.gmail.com and for Hotmail it would be smtp.live.com . You can search for these if you are not sure.

Logs Sent To

you put where the logs will be sent to. You could set this as the same email address you used in the first field but this would be less secure and you would be much safer having them sent to a different email with a different pass.

Port: this is the SMTP port. For Gmail this port is 587. You should look up what port your email provider uses.

FTP :

For FTP you need an FTP server. There are many sites that offer FTP like http://www.drivehq.com or just go here: http://www.lmgtfy.com/?q=free+website+hosting+ftp

Username: Your FTP Username (you will be given this)

Password: You will be given this or asked to make one depending on host

URL: This is the FTP address where it will save logs. You will be given the address by your host.

I would advise you to test these. Lots of keyloggers offer you a button to test.

Icon

Icons add to your servers credibility.
Location: you put the address of the icon you want to use here. If you are going to be crypting or binding there’s no need.

File Pumper

File Pumpers increase the size of the server file. This is used to make it more believable.
Add: here you put how many KB/MB/GB you want to increase your file by.
In: Here you select what format the number you had in the Add box was in (KB, MB or GB). KB stand for Kilobytes and would be used for very small amounts. MB stands for Megabyte and would be best if you are say, binding it with a song. Songs are usually 4-6MB. GB stands for Gigabytes and would be used for huge files like Adobe C26 Suite would be 200GB or more.

Send Logs Time Interval

This is important. This is how often you want the logger to send keylogs. Don’t set it too small because you would just get lots of very short logs, and don’t set it too high to say 2 hours as your victim mightn’t use the PC for that long and it would never get sent. Best setting would be 30-60 mins.

Server: just the name that it will put in the file it outputs.
The checkbox is self-explanatory.

Antis

These disable or make your server undetectable to antiviruses and sandboxes and other forms of security. It varies from program to program what way the antis work. I would advise enabling these as they allow your keylogger to be on the computer for longer.

Spreaders

These are methods of infecting more computers using your victims computer. They operate by infecting files sent on P2P programs (Limewire, Shareaza, Emule, Bearshare etc.), infecting USB drives (USB), sending files over LAN (LAN), infecting specific filetypes (Rar, Zip) sending files of chat and messaging applications (Outlook, Omegle, MSN, Yahoo, Skype, ICQ) and other methods.
Spreaders are always handy for getting more victims with little effort as it uses your victims computer power rather than your time and energy.

Stealers

Stealers take logins and keys for various programs. They make the process of taking usernames and passwords a lot quicker as you won’t need to search through endless logs.

Fake Message

Possibly the silliest feature (yet for some reason every RAT and Keylogger has one) and one I would advise you not to use it. Basically what it does is bring up a fake error message on your victims PC. If you do use this it will be quite obvious to the user that their PC is infected and they will remove your keylogger.

Webcam Logger

This will take pictures/video with the webcam on the victims PC if they have one. Set the interval the same as the logs interval before if you want to use it.

Screen Logger

This will take screenshots of the victims screen every period of time. Set it the same as logs too if you want to use it. If it is set too low you will have too much data.

Clipboard Logger

This saves text that the victim copies to the clipboard. So basically every thing copy is saved.

Download and Execute

It is very important that you have this on every keylogger or RAT that you use. It allows you to install another keylogger or RAT on your victims PC. This mean that you can change to a different RAT or keylogger later or give some victims to a friend or what not.

Add link(s) to places where you can put a file to download and execute if you ever need it eg: http://www.dropbox.com/5235121/public/newserver.exe OR you can make a shortened link at ******* and direct it to your server when you need it.

Webpage Loader/Ad Visitor

This opens webpages and ads. Its obvious and would alert your victim that they are infected. You would use affiliate links and other methods to get money from this feature.

Run at Startup

It will start the keylogger on start up. Tick it no matter what.

Melt

This deletes the server file once it has infected the PC.

Mutex

Click + several times. This helps make it more undetectable.

Text to Speech

This will play a message using Windows text-to-speech feature when server is installed. Similar to Fake Message it alerts the victim that they are infected and has no benefit so I advise you not to use it

Assembly Changer

This changes the Assembly Information on your file. If you go to the properties of any file on your computer and go to Properties>Assembly you will see information about the file. That’s what the Assembly Changer changes.

Cookie Deleters

These are brilliant! If your victim has saved their passwords for different sites they wont need type them in and your keylogger wont get them so what this does is delete their cookies so that they have to login again.

Website Blocker

This blocks websites. The options given in this picture block Virus scanning websites but you can add other sites too.

Disablers

These disable different windows features on the victims computer so that it is harder for them to remove your virus. If your victim is savvy they will notice this straight away and remove the keylogger very quickly. I wouldn’t use these except maybe Disable system restore, disable registry tools and disable registry as these are not used as often and wouldn’t be noticed.

What Next?

Worming

Worms make your victim spread your virus to his contacts and whatever the plug their USB stick into etc. Our example above had worm options (spreaders) but not every keylogger, RAT etc have worm/spreading options.

Crypting

Crypting is important if you want to get lots of victims and keep them for a long time. It makes your server undetectable to Anti-viruses.

FUD stands for Fully-undetectable and UD stands for Un-Detectable. FUD crypters are the best especially private ones.

Binding

Binding is when you bind your server with another file or program. It is very useful for spreading. You would bind your server with chessgame.exe (for example) and say “Hey check this cool game out!” and when they open it the game will open but so will the RAT. The victim would be none the wiser on whether they were infected or not whereas they would be suspicious if nothing opened.

Spreading

These are methods of getting victims for your keylogger. You should get a few and use them as effectively as possible.

How do I Protect Myself Against Keyloggers?

Having an Anti Virus would be a start! Obviously be careful with what you download too.
There is a tool that I think works very well against keyloggers.

Its is called KeyScrambler. Whenever you type something it randomizes it so that if a keylogger has infected your PC they would just get logs of jumbled numbers, letters and symbols.

If you don’t want to use keyscrambler there is also Zemana Anti-Keylogger

How To Reverse Engineer a Keylogger?

This is my favorite part. If you know your PC is infected or a file is infected you can get the email login or FTP login from the server. People also go “whaling” and download obvious viruses from youtube to steal lots of keylogs and slaves from skids.

There are two ways to do this and I will explain both below.

Wireshark

1. Download and install WireShark if you do not already have it: http://www.wireshark.org/download.html . While it is installing make sure Winpcap gets installed with it.

2. If you have an infected file and are not yet infected then open it in SandBoxie or VirtualBox or VMWare and follow these steps within the virtual machines. If you are already infected you can skip to the next step.

3. Once it is installed open it up and click “Capture” on the top menu and select the interface – if you are following in a virtual machine select that otherwise select windows or your network card.

4. Leave it on like that for about half an hour. This is to make sure the keylogger actually does connect back while you are capturing packets. (refer back to “Time Intervals”)

5. When it is done you need to filter through the results for the FTP or email login. Type “FTP” in the filter box and search. If a login comes up for that then they have used an FTP server to take your key-logs. In case it doesn’t work, try “SMTP” to search for email login.

If this dosen’t work then either –
the keylogger hasn’t connected back
You did something wrong
You are not infected

6. Now that you have their login details you can take all their keylogs and delete their keylogs of you. Then just change the password so they no longer have access Big Grin

# This is what they say

Martin

Hello :), I have been following your tutorials and think they are really good. I have basic pentesting skills and know basically how to use Kali, metasploit etc. but have no coding skills which is something I will be working on, but I would like to ask you if you would tutor me, against compensation of course in regards to getting things working, I mean if I’m stuck I could ask you for advice, this way I would learn faster and not waste days on a problem, and you would be able to supplement your income wile you study, I would need maybe 4-6 hours per week. If you find it int. let talk rates and get going :), best regards Martin.

26th January 2018 at 5:47 PM

Eitan

Hello dear, I am very impressed about your tutorials, you doing a great job revealing so many valuable hacking methods. I been playing around long time and yet i couldn’t find a stable RAT which pass runtime in 8 and 10. Please share it with me, i don’t mind pay some coins for coding, we all know quality things costs money. Waiting on your reply, thanks.

18th December 2017 at 2:12 AM

Jacob Mason

Hi, Hope you are doing great I know you are busy, so I will be quick. I came across your blog (hackeroyale.com) and found it quite interesting. I feel my writings could be a source of great interest to your readers. I’m really looking forward to getting my work published on your blog. Thanks for your time and keep the awesome work. Much Regards Jacob Mason